In case only certain network participants are to be granted network access, RADIUS authentication has to be used on the switch. If a network participant cannot authenticate itself via RADIUS and therefore cannot act as a RADIUS Supplicant, as an alternative this participant can also be authenticated via its MAC address. When using an XS series switch in most cases other network devices will be used due to the XS series featuring mostly SFP ports, although the authentication of end devices on the Ethernet ports is possible.

This article describes how MAC address authentication for a network device can be configured on an XS series switch, so that network access is only granted for the authenticated device.



A switch without RADIUS supplicant support is connected to an XS series switch. The aim is to ensure, that only the switch can be connected directly to the XS series switch and no other network devices can be connected instead and are able to communicate via this port. Therefore the switch is authenticated via its MAC address. Thus no additional configuration steps are necessary on the switch without RADIUS supplicant support.


1) Configuring the RADIUS server on the LANCOM router:

1.1) In LANconfig, open the configuration for the router, navigate to the menu RADIUS → Server and set a checkmark next to RADIUS authentication active.

1.2) Navigate to the menu RADIUS services ports.

1.3) Check that the authentication port is set to 1812.

1.4) Go to the menu IPv4 clients.

1.5) Create a new entry and enter the following parameters:

  • IP address: Enter the XS series switch IP address so that it can authenticate itself as the RADIUS authenticator at the RADIUS server.
  • Netmask: Enter the netmask This stands for a single IP address.
  • Protocols: Check that the protocol is set to RADIUS.
  • Client secret: Enter a password that the XS series switch uses to authenticate itself at the RADIUS server. This is entered on the switch in step 2.8.

1.6) Go to the menu User table.

1.7) Create a new entry and adjust the following parameters:

  • Name / MAC address: Enter the MAC address of the network device, which is to be authenticated by its MAC address, in capital letters in the format 00:A0:57:12:34:56.
  • Password: Enter the MAC address of the network device analogous to the parameter Name / MAC address
  • Service type: From the drop-down menu, select Call check.
  • Expiry type: From the drop-down menu, select Never so that the user account remains permanently valid.

The Service type Call check is supported as of LCOS 10.30.

1.8) This concludes the configuration of the RADIUS server on the LANCOM router. You can now write the configuration back to the device.

2) Configuring the RADIUS Authenticator on the switch:

2.1) Connect to the webinterface of the device and go to the menu System → AAA → Authentication List.

2.2) Select the entry dot1xList and click Edit.

2.3) Under the Available Methods select the option Radius and click on the upper arrow symbol, so that it is applied to the Selected Methods. Click Submit afterwards.

The application of the option RADIUS is mandatory, as otherwise the switch won't forward the RADIUS requests to the RADIUS server.

2.4) Change to the menu Security → Port Access Control → Configuration.

2.5) For Admin Mode select the option Enable and click Submit.

2.6) Go to the menu Security → RADIUS → Named Server.

2.7) Click Add to enter parameters for a RADIUS server.

2.8) Modify the following parameters and click Submit:

  • IP Address/Host Name: Enter an IP address or the hostname of the RADIUS server which is to be used for the authentication.
  • Server Name: Optionally you can edit the group name for the RADIUS server (in this example the name remains on the default setting Default-RADIUS-Server).  
  • Port Number: Leave the RADIUS port on the default value 1812.
  • Secret: Enter the Client secret set in step 1.5.
  • Server Type: Select the option Primary

The status of the Named Server under Current has to change to True, so that the RADIUS requests are forwarded to the RADIUS server. 

2.9) Go to the menu Security → Authentication Manager → Interface Configuration.

Under no circumstances should the Admin Mode be activated (Enable) at this point in the menu Security → Authentication Manager → Configuration, as the authentication is activated globally for all ports. Otherwise configuration access to the switch won't be possible anymore!

2.10) Select the interface used for configuration access (in this example the port 1/0/9), for Control Mode select the option Force Authorized and click Submit. With this setting no authentication is performed on this port.

Set the option Force Authorized on all ports where no authentication is to be used.

2.11) Select a port to be authenticated (in this example 1/0/10), modify the following parameters and click Submit:

  • Make sure, that the option Auto is selected for the Control Mode. Thereby no communication is possible via this port until the connected network participant has authenticated itself.
  • For the Host Mode select the authentication method Multiple Host. Thereby only one network participant has to authenticate itself. Then all other participants can also communicate via this port. 
  • Activate the MAB Mode (MAC-based Authentication Bypass). Instead of username and password the MAC address is used for authentication

2.12) Go to the tab Configuration, select the option Enable for the Admin Mode and click Submit.

2.13) Click on Save Configuration in the top right-hand corner to save the configuration as the start configuration.

The start configuration is retained even if the device is restarted or there is a power failure.

As an alternative you can also save the configuration as start configuration via the CLI with the command write memory.

2.14) Acknowledge the save process by clicking OK.